Secure Your REST API (The Right Way)

We already showed you how to build a Beautiful REST+JSON API(http://www.slideshare.net/stormpath/rest-jsonapis), but how do you secure your API? At Stormpath we spent 18 months researching best practices, implementing them in the Stormpath API, and figuring out what works. Here’s our playbook on how to secure a REST API.

Hi..I'm developing Rest Api call using oauth plugin. May i know whether the authentication response will be obtained without redirecting to google login?. I have tried with some basic examples , the code is redirected to google site for authentication.

13.
Ok, now that’s out of the way
• Please avoid Basic Authc if you can.
• Favor HMAC-SHA256 digest algorithms over
bearer token algorithms
• Use Oauth 1.0a or Oauth 2 (preferably MAC)
• Only use a custom scheme if you really,
really know what you’re doing.
Learn more at Stormpath.com

18.
HTTP Authorization: OAuth
• OAuth is an authorization protocol, NOT
an authentication or SSO protocol.
• “Can I see User X’s email address please?”
NOT:
• “I want to authenticate User X w/ this
username and password”
• People still try to use OAuth for
authentication (OpenId Connect)
Learn more at Stormpath.com

19.
HTTP Authorization: OAuth
• When OAuth 2 is a good fit:
• If your REST clients do NOT own the data
they are attempting to read
• When Oauth 2 isn’t as good of a fit:
• If your REST client owns the data it is
reading
• Could still be fine if you’re willing to incur
some additional overhead
Learn more at Stormpath.com

20.
HTTP Authorization: JWT
• JWT = JSON Web Token
• Very new spec, but clean & simple
• JWTs can be digitally signed and/or
encrypted, and are URL friendly.
• Can be used as Bearer Tokens and for SSO
Learn more at Stormpath.com

31.
Redirects and Forwards
• Avoid redirects and forwards if possible
• If used, validate the value and ensure
authorized for the current user.
foo.com/redirect.jsp?url=evil.com
foo.com/whatever.jsp?fwd=admin.jsp
Learn more at Stormpath.com

33.
TLS
• Use TLS for everything
• Once electing to TLS:
– Never revert
– Never switch back and forth
• Cookies: set the ‘secure’ and ‘httpOnly’
flags for secure cookies
• Backend/infrastructure connections use
TLS too
Learn more at Stormpath.com